diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 09345b3..d53ca24 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -14,4 +14,4 @@ jobs: - env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} name: Create Release - run: gh release create "${GITHUB_REF#refs/*/}" --notes-file RELEASE_NOTES.md + run: gh release create "${GITHUB_REF#refs/*/}" -t "${GITHUB_REF#refs/*/}" --notes-file RELEASE_NOTES.md diff --git a/CHANGELOG.md b/CHANGELOG.md index c644c55..9665ffc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,12 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/). -## [Unreleased](https://github.com/passbolt/charts-passbolt/compare/0.4.3...HEAD) +## [Unreleased](https://github.com/passbolt/charts-passbolt/compare/0.4.4...HEAD) + +## [0.4.4] - 2023-10-09 + +### Fixed +- [#52](https://github.com/passbolt/charts-passbolt/issues/52) pullPolicy incorrect rendering ## [0.4.3] - 2023-10-06 @@ -29,7 +34,7 @@ This release adds the ability to inject extra pod labels on passbolt pods and bu ### Fixed -- [#41](https://github.com/passbolt/charts-passbolt/issues/41) Update Redis chart to v17.15.2 +- [#41](https://github.com/passbolt/charts-passbolt/issues/41) Update Redis chart to v17.15.2 ## [0.4.0] - 2023-06-28 diff --git a/Chart.yaml b/Chart.yaml index a51ed2d..4b8ed86 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.4.3 +version: 0.4.4 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to 
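Review bot: The expansion `${GITHUB_REF#refs/*/}` now appears twice on the `run:` line of the "Create Release" step, once as the tag and once as the `-t` title, so the two can drift apart if one is edited later. GitHub Actions already exports the short ref as `GITHUB_REF_NAME`, which gives the same value without the shell expansion: `run: gh release create "$GITHUB_REF_NAME" -t "$GITHUB_REF_NAME" --verify-tag --notes-file RELEASE_NOTES.md`. `--verify-tag` makes `gh` abort instead of creating a tag that is not already on the remote, which is useful if this job can run on anything other than a tag push; the trigger and the rest of the job are outside the hunk, so that is unconfirmed. The step authenticates with the `GH_TOKEN` secret; if that is a personal access token, the automatic workflow token with `permissions: contents: write` would narrow what a compromised release step can reach.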
diff --git a/README.md b/README.md index af631d0..5315327 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ passbolt sails kubernetes -![Version: 0.4.3](https://img.shields.io/badge/Version-0.4.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.3.0-1-ce](https://img.shields.io/badge/AppVersion-4.3.0--1--ce-informational?style=flat-square) +![Version: 0.4.4](https://img.shields.io/badge/Version-0.4.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.3.0-1-ce](https://img.shields.io/badge/AppVersion-4.3.0--1--ce-informational?style=flat-square) Passbolt is an open source, security first password manager with strong focus on collaboration. 
@@ -89,133 +89,133 @@ chart and deletes the release. ## Requirements | Repository | Name | Version | -| ----------------------------------------------------- | ---------------- | ------- | +|-------------------------------------------------------|------------------|---------| | https://charts.bitnami.com/bitnami | mariadb | 11.5.7 | | https://charts.bitnami.com/bitnami | redis | 17.15.2 | | https://download.passbolt.com/charts/passbolt-library | passbolt-library | 0.2.7 | ## Values -| Key | Type | Default | Description | -| ------------------------------------------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| affinity | object | `{}` | Configure passbolt deployment affinity | -| app.cache.redis.enabled | bool | `true` | By enabling redis the chart will mount a configuration file on /etc/passbolt/app.php That instructs passbolt to store sessions on redis and to use it as a general cache. 
| -| app.cache.redis.sentinelProxy.enabled | bool | `true` | Inject a haproxy sidecar container configured as a proxy to redis sentinel Make sure that CACHE_CAKE_DEFAULT_SERVER is set to '127.0.0.1' to use the proxy | -| app.cache.redis.sentinelProxy.image | object | `{"registry":"","repository":"haproxy","tag":"latest"}` | Configure redis sentinel proxy image | -| app.cache.redis.sentinelProxy.image.repository | string | `"haproxy"` | Configure redis sentinel image repository | -| app.cache.redis.sentinelProxy.image.tag | string | `"latest"` | Configure redis sentinel image tag | -| app.cache.redis.sentinelProxy.resources | object | `{}` | Configure redis sentinel container resources | -| app.extraPodLabels | object | `{}` | | -| app.image.pullPolicy | string | `"IfNotPresent"` | Configure pasbolt deployment image pullPolicy | -| app.image.registry | string | `""` | Configure pasbolt deployment image repsitory | -| app.image.repository | string | `"passbolt/passbolt"` | | -| app.image.tag | string | `"4.3.0-1-ce"` | Overrides the image tag whose default is the chart appVersion. | -| app.initImage.client | string | `"mariadb"` | Configure pasbolt deployment init container image client for database | -| app.initImage.pullPolicy | string | `"IfNotPresent"` | Configure pasbolt deployment image pullPolicy | -| app.initImage.registry | string | `""` | | -| app.initImage.repository | string | `"mariadb"` | Configure pasbolt deployment image repsitory | -| app.initImage.tag | string | `"latest"` | Overrides the image tag whose default is the chart appVersion. 
| -| app.resources | object | `{}` | | -| autoscaling.enabled | bool | `false` | Enable autoscaling on passbolt deployment | -| autoscaling.maxReplicas | int | `100` | Configure autoscaling maximum replicas | -| autoscaling.minReplicas | int | `1` | Configure autoscaling minimum replicas | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | Configure autoscaling target CPU uptilization percentage | -| cronJobEmail | object | `{"enabled":true,"extraPodLabels":{},"schedule":"* * * * *"}` | Enable email cron | -| extraVolumeMounts | string | `""` | Add additional volume mounts, e.g. for overwriting config files | -| extraVolumes | string | `""` | Add additional volumes, e.g. for overwriting config files | -| fullnameOverride | string | `""` | Value to override the whole fullName | -| global.imagePullSecrets | list | `[]` | | -| global.imageRegistry | string | `""` | | -| gpgPath | string | `"/etc/passbolt/gpg"` | Configure passbolt gpg directory | -| gpgServerKeyPrivate | string | `""` | Gpg server private key in base64 | -| gpgServerKeyPublic | string | `""` | Gpg server public key in base64 | -| imagePullSecrets | list | `[]` | Configure image pull secrets | -| ingress.annotations | object | `{}` | Configure passbolt ingress annotations | -| ingress.enabled | bool | `false` | Enable passbolt ingress | -| ingress.hosts | list | `[]` | Configure passbolt ingress hosts | -| ingress.tls | list | `[]` | Configure passbolt ingress tls | -| jobCreateGpgKeys.extraPodLabels | object | `{}` | | -| jwtPath | string | `"/etc/passbolt/jwt"` | Configure passbolt jwt directory | -| jwtServerPrivate | string | `nil` | JWT server private key in base64 | -| jwtServerPublic | string | `nil` | JWT server public key in base64 | -| livenessProbe | object | `{"initialDelaySeconds":20,"periodSeconds":10}` | Configure passbolt container livenessProbe | -| mariadb.architecture | string | `"replication"` | Configure mariadb architecture | -| mariadb.auth.database | string | 
`"passbolt"` | Configure mariadb auth database | -| mariadb.auth.password | string | `"CHANGEME"` | Configure mariadb auth password | -| mariadb.auth.replicationPassword | string | `"CHANGEME"` | Configure mariadb auth replicationPassword | -| mariadb.auth.rootPassword | string | `"root"` | Configure mariadb auth root password | -| mariadb.auth.username | string | `"CHANGEME"` | Configure mariadb auth username | -| mariadb.primary | object | `{"persistence":{"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"existingClaim":"","labels":{},"selector":{},"size":"8Gi","storageClass":"","subPath":""}}` | Configure parameters for the primary instance. | -| mariadb.primary.persistence | object | `{"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"existingClaim":"","labels":{},"selector":{},"size":"8Gi","storageClass":"","subPath":""}` | Configure persistence options. | -| mariadb.primary.persistence.accessModes | list | `["ReadWriteOnce"]` | Primary persistent volume access Modes | -| mariadb.primary.persistence.annotations | object | `{}` | Primary persistent volume claim annotations | -| mariadb.primary.persistence.enabled | bool | `true` | Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir | -| mariadb.primary.persistence.existingClaim | string | `""` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas. When it's set the rest of persistence parameters are ignored. 
| -| mariadb.primary.persistence.labels | object | `{}` | Labels for the PVC | -| mariadb.primary.persistence.selector | object | `{}` | Selector to match an existing Persistent Volume | -| mariadb.primary.persistence.size | string | `"8Gi"` | Primary persistent volume size | -| mariadb.primary.persistence.storageClass | string | `""` | Primary persistent volume storage Class | -| mariadb.primary.persistence.subPath | string | `""` | Subdirectory of the volume to mount at | -| mariadb.secondary | object | `{"persistence":{"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"labels":{},"selector":{},"size":"8Gi","storageClass":"","subPath":""}}` | Configure parameters for the secondary instance. | -| mariadb.secondary.persistence | object | `{"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"labels":{},"selector":{},"size":"8Gi","storageClass":"","subPath":""}` | Configure persistence options. | -| mariadb.secondary.persistence.accessModes | list | `["ReadWriteOnce"]` | Secondary persistent volume access Modes | -| mariadb.secondary.persistence.annotations | object | `{}` | Secondary persistent volume claim annotations | -| mariadb.secondary.persistence.enabled | bool | `true` | Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim`. 
If false, use emptyDir | -| mariadb.secondary.persistence.labels | object | `{}` | Labels for the PVC | -| mariadb.secondary.persistence.selector | object | `{}` | Selector to match an existing Persistent Volume | -| mariadb.secondary.persistence.size | string | `"8Gi"` | Secondary persistent volume size | -| mariadb.secondary.persistence.storageClass | string | `""` | Secondary persistent volume storage Class | -| mariadb.secondary.persistence.subPath | string | `""` | Subdirectory of the volume to mount at | -| mariadbDependencyEnabled | bool | `true` | Install mariadb as a depending chart | -| nameOverride | string | `""` | Value to override the chart name on default | -| networkPolicy.enabled | bool | `false` | Enable network policies to allow ingress access passbolt pods | -| networkPolicy.label | string | `"app.kubernetes.io/name"` | Configure network policies label for ingress deployment | -| networkPolicy.namespaceLabel | string | `"ingress-nginx"` | Configure network policies namespaceLabel for namespaceSelector | -| networkPolicy.podLabel | string | `"ingress-nginx"` | Configure network policies podLabel for podSelector | -| nodeSelector | object | `{}` | Configure passbolt deployment nodeSelector | -| passboltEnv.extraEnv | list | `[]` | Environment variables to add to the passbolt pods | -| passboltEnv.extraEnvFrom | list | `[]` | Environment variables from secrets or configmaps to add to the passbolt pods | -| passboltEnv.plain.APP_FULL_BASE_URL | string | `"https://passbolt.local"` | Configure passbolt fullBaseUrl | -| passboltEnv.plain.CACHE_CAKE_DEFAULT_SERVER | string | `"127.0.0.1"` | Configure passbolt cake cache server | -| passboltEnv.plain.DEBUG | bool | `false` | Toggle passbolt debug mode | -| passboltEnv.plain.EMAIL_DEFAULT_FROM | string | `"no-reply@passbolt.local"` | Configure passbolt default email from | -| passboltEnv.plain.EMAIL_TRANSPORT_DEFAULT_HOST | string | `"127.0.0.1"` | Configure passbolt default email host | -| 
passboltEnv.plain.EMAIL_TRANSPORT_DEFAULT_PORT | int | `587` | Configure passbolt default email service port | -| passboltEnv.plain.EMAIL_TRANSPORT_DEFAULT_TLS | bool | `true` | Toggle passbolt tls | -| passboltEnv.plain.KUBECTL_DOWNLOAD_CMD | string | `"curl -LO \"https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl\""` | Download Command for kubectl | -| passboltEnv.plain.PASSBOLT_JWT_SERVER_KEY | string | `"/var/www/passbolt/config/jwt/jwt.key"` | Configure passbolt jwt private key path | -| passboltEnv.plain.PASSBOLT_JWT_SERVER_PEM | string | `"/var/www/passbolt/config/jwt/jwt.pem"` | Configure passbolt jwt public key path | -| passboltEnv.plain.PASSBOLT_KEY_EMAIL | string | `"passbolt@yourdomain.com"` | Configure email used on gpg key. This is used when automatically creating a new gpg server key and when automatically calculating the fingerprint. | -| passboltEnv.plain.PASSBOLT_LEGAL_PRIVACYPOLICYURL | string | `"https://www.passbolt.com/privacy"` | Configure passbolt privacy url | -| passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED | bool | `true` | Toggle passbolt jwt authentication | -| passboltEnv.plain.PASSBOLT_PLUGINS_LICENSE_LICENSE | string | `"/etc/passbolt/subscription_key.txt"` | Configure passbolt license path | -| passboltEnv.plain.PASSBOLT_REGISTRATION_PUBLIC | bool | `true` | Toggle passbolt public registration | -| passboltEnv.plain.PASSBOLT_SELENIUM_ACTIVE | bool | `false` | Toggle passbolt selenium mode | -| passboltEnv.plain.PASSBOLT_SSL_FORCE | bool | `true` | Configure passbolt to force ssl | -| passboltEnv.secret.CACHE_CAKE_DEFAULT_PASSWORD | string | `"CHANGEME"` | Configure passbolt cake cache password | -| passboltEnv.secret.DATASOURCES_DEFAULT_DATABASE | string | `"passbolt"` | Configure passbolt default database | -| passboltEnv.secret.DATASOURCES_DEFAULT_PASSWORD | string | `"CHANGEME"` | Configure passbolt default database password | -| 
passboltEnv.secret.DATASOURCES_DEFAULT_USERNAME | string | `"CHANGEME"` | Configure passbolt default database username | -| passboltEnv.secret.EMAIL_TRANSPORT_DEFAULT_PASSWORD | string | `"CHANGEME"` | Configure passbolt default email service password | -| passboltEnv.secret.EMAIL_TRANSPORT_DEFAULT_USERNAME | string | `"CHANGEME"` | Configure passbolt default email service username | -| podAnnotations | object | `{}` | Map of annotation for passbolt server pod | -| podSecurityContext | object | `{}` | Security Context configuration for passbolt server pod | -| rbacEnabled | bool | `true` | Enable role based access control | -| readinessProbe | object | `{"initialDelaySeconds":5,"periodSeconds":10}` | Configure passbolt container RadinessProbe | -| redis.auth.enabled | bool | `true` | Enable redis authentication | -| redis.auth.password | string | `"CHANGEME"` | Configure redis password | -| redis.sentinel.enabled | bool | `true` | Enable redis sentinel | -| redisDependencyEnabled | bool | `true` | Install redis as a depending chart | -| replicaCount | int | `2` | If autoscaling is disabled this will define the number of pods to run | -| service.annotations | object | `{}` | Annotations to add to the service | -| service.name | string | `"https"` | Configure passbolt service port name | -| service.port | int | `443` | Configure passbolt service port | -| service.targetPort | int | `443` | Configure passbolt service targetPort | -| service.type | string | `"ClusterIP"` | Configure passbolt service type | -| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | -| tls.autogenerate | bool | `true` | | -| tolerations | list | `[]` | Configure passbolt deployment tolerations | +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Configure passbolt deployment affinity | +| 
app.cache.redis.enabled | bool | `true` | By enabling redis the chart will mount a configuration file on /etc/passbolt/app.php That instructs passbolt to store sessions on redis and to use it as a general cache. | +| app.cache.redis.sentinelProxy.enabled | bool | `true` | Inject a haproxy sidecar container configured as a proxy to redis sentinel Make sure that CACHE_CAKE_DEFAULT_SERVER is set to '127.0.0.1' to use the proxy | +| app.cache.redis.sentinelProxy.image | object | `{"registry":"","repository":"haproxy","tag":"latest"}` | Configure redis sentinel proxy image | +| app.cache.redis.sentinelProxy.image.repository | string | `"haproxy"` | Configure redis sentinel image repository | +| app.cache.redis.sentinelProxy.image.tag | string | `"latest"` | Configure redis sentinel image tag | +| app.cache.redis.sentinelProxy.resources | object | `{}` | Configure redis sentinel container resources | +| app.extraPodLabels | object | `{}` | | +| app.image.pullPolicy | string | `"IfNotPresent"` | Configure pasbolt deployment image pullPolicy | +| app.image.registry | string | `""` | Configure pasbolt deployment image repsitory | +| app.image.repository | string | `"passbolt/passbolt"` | | +| app.image.tag | string | `"4.3.0-1-ce"` | Overrides the image tag whose default is the chart appVersion. | +| app.initImage.client | string | `"mariadb"` | Configure pasbolt deployment init container image client for database | +| app.initImage.pullPolicy | string | `"IfNotPresent"` | Configure pasbolt deployment image pullPolicy | +| app.initImage.registry | string | `""` | | +| app.initImage.repository | string | `"mariadb"` | Configure pasbolt deployment image repsitory | +| app.initImage.tag | string | `"latest"` | Overrides the image tag whose default is the chart appVersion. 
| +| app.resources | object | `{}` | | +| autoscaling.enabled | bool | `false` | Enable autoscaling on passbolt deployment | +| autoscaling.maxReplicas | int | `100` | Configure autoscaling maximum replicas | +| autoscaling.minReplicas | int | `1` | Configure autoscaling minimum replicas | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | Configure autoscaling target CPU uptilization percentage | +| cronJobEmail | object | `{"enabled":true,"extraPodLabels":{},"schedule":"* * * * *"}` | Enable email cron | +| extraVolumeMounts | string | `""` | Add additional volume mounts, e.g. for overwriting config files | +| extraVolumes | string | `""` | Add additional volumes, e.g. for overwriting config files | +| fullnameOverride | string | `""` | Value to override the whole fullName | +| global.imagePullSecrets | list | `[]` | | +| global.imageRegistry | string | `""` | | +| gpgPath | string | `"/etc/passbolt/gpg"` | Configure passbolt gpg directory | +| gpgServerKeyPrivate | string | `""` | Gpg server private key in base64 | +| gpgServerKeyPublic | string | `""` | Gpg server public key in base64 | +| imagePullSecrets | list | `[]` | Configure image pull secrets | +| ingress.annotations | object | `{}` | Configure passbolt ingress annotations | +| ingress.enabled | bool | `false` | Enable passbolt ingress | +| ingress.hosts | list | `[]` | Configure passbolt ingress hosts | +| ingress.tls | list | `[]` | Configure passbolt ingress tls | +| jobCreateGpgKeys.extraPodLabels | object | `{}` | | +| jwtPath | string | `"/etc/passbolt/jwt"` | Configure passbolt jwt directory | +| jwtServerPrivate | string | `nil` | JWT server private key in base64 | +| jwtServerPublic | string | `nil` | JWT server public key in base64 | +| livenessProbe | object | `{"initialDelaySeconds":20,"periodSeconds":10}` | Configure passbolt container livenessProbe | +| mariadb.architecture | string | `"replication"` | Configure mariadb architecture | +| mariadb.auth.database | string | 
`"passbolt"` | Configure mariadb auth database | +| mariadb.auth.password | string | `"CHANGEME"` | Configure mariadb auth password | +| mariadb.auth.replicationPassword | string | `"CHANGEME"` | Configure mariadb auth replicationPassword | +| mariadb.auth.rootPassword | string | `"root"` | Configure mariadb auth root password | +| mariadb.auth.username | string | `"CHANGEME"` | Configure mariadb auth username | +| mariadb.primary | object | `{"persistence":{"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"existingClaim":"","labels":{},"selector":{},"size":"8Gi","storageClass":"","subPath":""}}` | Configure parameters for the primary instance. | +| mariadb.primary.persistence | object | `{"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"existingClaim":"","labels":{},"selector":{},"size":"8Gi","storageClass":"","subPath":""}` | Configure persistence options. | +| mariadb.primary.persistence.accessModes | list | `["ReadWriteOnce"]` | Primary persistent volume access Modes | +| mariadb.primary.persistence.annotations | object | `{}` | Primary persistent volume claim annotations | +| mariadb.primary.persistence.enabled | bool | `true` | Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir | +| mariadb.primary.persistence.existingClaim | string | `""` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas. When it's set the rest of persistence parameters are ignored. 
| +| mariadb.primary.persistence.labels | object | `{}` | Labels for the PVC | +| mariadb.primary.persistence.selector | object | `{}` | Selector to match an existing Persistent Volume | +| mariadb.primary.persistence.size | string | `"8Gi"` | Primary persistent volume size | +| mariadb.primary.persistence.storageClass | string | `""` | Primary persistent volume storage Class | +| mariadb.primary.persistence.subPath | string | `""` | Subdirectory of the volume to mount at | +| mariadb.secondary | object | `{"persistence":{"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"labels":{},"selector":{},"size":"8Gi","storageClass":"","subPath":""}}` | Configure parameters for the secondary instance. | +| mariadb.secondary.persistence | object | `{"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"labels":{},"selector":{},"size":"8Gi","storageClass":"","subPath":""}` | Configure persistence options. | +| mariadb.secondary.persistence.accessModes | list | `["ReadWriteOnce"]` | Secondary persistent volume access Modes | +| mariadb.secondary.persistence.annotations | object | `{}` | Secondary persistent volume claim annotations | +| mariadb.secondary.persistence.enabled | bool | `true` | Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim`. 
If false, use emptyDir | +| mariadb.secondary.persistence.labels | object | `{}` | Labels for the PVC | +| mariadb.secondary.persistence.selector | object | `{}` | Selector to match an existing Persistent Volume | +| mariadb.secondary.persistence.size | string | `"8Gi"` | Secondary persistent volume size | +| mariadb.secondary.persistence.storageClass | string | `""` | Secondary persistent volume storage Class | +| mariadb.secondary.persistence.subPath | string | `""` | Subdirectory of the volume to mount at | +| mariadbDependencyEnabled | bool | `true` | Install mariadb as a depending chart | +| nameOverride | string | `""` | Value to override the chart name on default | +| networkPolicy.enabled | bool | `false` | Enable network policies to allow ingress access passbolt pods | +| networkPolicy.label | string | `"app.kubernetes.io/name"` | Configure network policies label for ingress deployment | +| networkPolicy.namespaceLabel | string | `"ingress-nginx"` | Configure network policies namespaceLabel for namespaceSelector | +| networkPolicy.podLabel | string | `"ingress-nginx"` | Configure network policies podLabel for podSelector | +| nodeSelector | object | `{}` | Configure passbolt deployment nodeSelector | +| passboltEnv.extraEnv | list | `[]` | Environment variables to add to the passbolt pods | +| passboltEnv.extraEnvFrom | list | `[]` | Environment variables from secrets or configmaps to add to the passbolt pods | +| passboltEnv.plain.APP_FULL_BASE_URL | string | `"https://passbolt.local"` | Configure passbolt fullBaseUrl | +| passboltEnv.plain.CACHE_CAKE_DEFAULT_SERVER | string | `"127.0.0.1"` | Configure passbolt cake cache server | +| passboltEnv.plain.DEBUG | bool | `false` | Toggle passbolt debug mode | +| passboltEnv.plain.EMAIL_DEFAULT_FROM | string | `"no-reply@passbolt.local"` | Configure passbolt default email from | +| passboltEnv.plain.EMAIL_TRANSPORT_DEFAULT_HOST | string | `"127.0.0.1"` | Configure passbolt default email host | +| 
passboltEnv.plain.EMAIL_TRANSPORT_DEFAULT_PORT | int | `587` | Configure passbolt default email service port | +| passboltEnv.plain.EMAIL_TRANSPORT_DEFAULT_TLS | bool | `true` | Toggle passbolt tls | +| passboltEnv.plain.KUBECTL_DOWNLOAD_CMD | string | `"curl -LO \"https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl\""` | Download Command for kubectl | +| passboltEnv.plain.PASSBOLT_JWT_SERVER_KEY | string | `"/var/www/passbolt/config/jwt/jwt.key"` | Configure passbolt jwt private key path | +| passboltEnv.plain.PASSBOLT_JWT_SERVER_PEM | string | `"/var/www/passbolt/config/jwt/jwt.pem"` | Configure passbolt jwt public key path | +| passboltEnv.plain.PASSBOLT_KEY_EMAIL | string | `"passbolt@yourdomain.com"` | Configure email used on gpg key. This is used when automatically creating a new gpg server key and when automatically calculating the fingerprint. | +| passboltEnv.plain.PASSBOLT_LEGAL_PRIVACYPOLICYURL | string | `"https://www.passbolt.com/privacy"` | Configure passbolt privacy url | +| passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED | bool | `true` | Toggle passbolt jwt authentication | +| passboltEnv.plain.PASSBOLT_PLUGINS_LICENSE_LICENSE | string | `"/etc/passbolt/subscription_key.txt"` | Configure passbolt license path | +| passboltEnv.plain.PASSBOLT_REGISTRATION_PUBLIC | bool | `true` | Toggle passbolt public registration | +| passboltEnv.plain.PASSBOLT_SELENIUM_ACTIVE | bool | `false` | Toggle passbolt selenium mode | +| passboltEnv.plain.PASSBOLT_SSL_FORCE | bool | `true` | Configure passbolt to force ssl | +| passboltEnv.secret.CACHE_CAKE_DEFAULT_PASSWORD | string | `"CHANGEME"` | Configure passbolt cake cache password | +| passboltEnv.secret.DATASOURCES_DEFAULT_DATABASE | string | `"passbolt"` | Configure passbolt default database | +| passboltEnv.secret.DATASOURCES_DEFAULT_PASSWORD | string | `"CHANGEME"` | Configure passbolt default database password | +| 
passboltEnv.secret.DATASOURCES_DEFAULT_USERNAME | string | `"CHANGEME"` | Configure passbolt default database username | +| passboltEnv.secret.EMAIL_TRANSPORT_DEFAULT_PASSWORD | string | `"CHANGEME"` | Configure passbolt default email service password | +| passboltEnv.secret.EMAIL_TRANSPORT_DEFAULT_USERNAME | string | `"CHANGEME"` | Configure passbolt default email service username | +| podAnnotations | object | `{}` | Map of annotation for passbolt server pod | +| podSecurityContext | object | `{}` | Security Context configuration for passbolt server pod | +| rbacEnabled | bool | `true` | Enable role based access control | +| readinessProbe | object | `{"initialDelaySeconds":5,"periodSeconds":10}` | Configure passbolt container RadinessProbe | +| redis.auth.enabled | bool | `true` | Enable redis authentication | +| redis.auth.password | string | `"CHANGEME"` | Configure redis password | +| redis.sentinel.enabled | bool | `true` | Enable redis sentinel | +| redisDependencyEnabled | bool | `true` | Install redis as a depending chart | +| replicaCount | int | `2` | If autoscaling is disabled this will define the number of pods to run | +| service.annotations | object | `{}` | Annotations to add to the service | +| service.name | string | `"https"` | Configure passbolt service port name | +| service.port | int | `443` | Configure passbolt service port | +| service.targetPort | int | `443` | Configure passbolt service targetPort | +| service.type | string | `"ClusterIP"` | Configure passbolt service type | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| tls.autogenerate | bool | `true` | Generates a secret with a self-signed cerfificate that is injected on ingress and passbolt container | +| tolerations | list | `[]` | Configure passbolt deployment tolerations | ## Updating REAME.md 
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index e02258c..69cf0c9 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md @@ -1,15 +1,5 @@ -This release introduces several fixes and enhancenments reported by -the community. +This is a small hotfix release that fixes issues reported +by the community regarding the imagePullPolicy on the +deployment resource. -It introduces the possibility to inject SSL certificates as external -secrets to both the ingress object and to the passbolt container -through the `tls.existingSecret`. By default the chart still relies -on the autogenerated SSL certificate if not specified. - -[Deprecation warning]: ingress.tls will be deprecated in future -versions in favour of the new tls{} value to specify secrets. - -[Deprecation warning]: ingress.hosts will be deprecated in future -versions too, new values will be announced. - -For more information please check our [changelog](https://github.com/passbolt/charts-passbolt/blob/0.4.3/CHANGELOG.md) +For more information please check our [changelog](https://github.com/passbolt/charts-passbolt/blob/0.4.4/CHANGELOG.md) diff --git a/templates/deployment.yaml b/templates/deployment.yaml index fc0c262..81587de 100644 --- a/templates/deployment.yaml +++ b/templates/deployment.yaml @@ -84,7 +84,7 @@ spec: > /etc/supervisor/conf.d/cron.conf /docker-entrypoint.sh image: {{ include "passbolt.image" (dict "imageRoot" .Values.app.image "global" .Values.global) }} - imagePullPolicy: .Values.app.image.pullPolicy + imagePullPolicy: {{ .Values.app.image.pullPolicy }} ports: - name: https containerPort: {{ .Values.service.targetPort }} 
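Review bot: The corrected `imagePullPolicy` line in templates/deployment.yaml, like the `-redisproxy` one in the next hunk, emits the value bare and unchecked, so a misspelled policy is only caught when the API server rejects the rendered Deployment. Quoting it and falling back to the documented default keeps the manifest well-formed: `imagePullPolicy: {{ .Values.app.image.pullPolicy | default "IfNotPresent" | quote }}`. Kubernetes accepts only `Always`, `IfNotPresent` and `Never`, so an enum for these keys in a values schema, if the chart ships one, would fail the install early with a readable message. The container spec starts and ends outside the hunk.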
@@ -142,7 +142,7 @@ spec: {{- if .Values.app.cache.redis.sentinelProxy.enabled }} - name: {{ $fullName }}-redisproxy image: {{ include "passbolt.image" (dict "imageRoot" .Values.app.cache.redis.sentinelProxy.image "global" .Values.global) }} - imagePullPolicy: .Values.app.cache.redis.sentinelProxy.pullPolicy + imagePullPolicy: {{ .Values.app.cache.redis.sentinelProxy.pullPolicy }} volumeMounts: - mountPath: "/usr/local/etc/haproxy/haproxy.cfg" subPath: haproxy.cfg diff --git a/tests/deployment_image_pull_policy_test.yaml b/tests/deployment_image_pull_policy_test.yaml new file mode 100644 index 0000000..aef8cf7 --- /dev/null +++ b/tests/deployment_image_pull_policy_test.yaml @@ -0,0 +1,32 @@ +--- +suite: image pull policy +release: + name: test +values: + - values-test.yaml +tests: + - it: should have the correct pull policy + templates: + - deployment.yaml + set: + redis.auth.enabled: true + redis.replica.replicaCount: 2 + autoscaling.enabled: false + app.cache.redis.sentinelProxy.enabled: true + app.cache.redis.sentinelProxy.image.repository: haproxy + app.cache.redis.sentinelProxy.image.tag: latest + app.cache.redis.sentinelProxy.pullPolicy: always + app.image.pullPolicy: always + app.initImage.pullPolicy: always + asserts: + - contains: + path: spec.template.spec.containers + content: + imagePullPolicy: always + count: 2 + any: true + - contains: + path: spec.template.spec.initContainers + content: + imagePullPolicy: always + any: true diff --git a/tests/deployment_redis_sidecar_test.yaml b/tests/deployment_redis_sidecar_test.yaml index d0bef7a..b8f65ae 100644 --- a/tests/deployment_redis_sidecar_test.yaml +++ b/tests/deployment_redis_sidecar_test.yaml @@ -99,4 +99,3 @@ tests: asserts: - isNotEmpty: path: spec.template.metadata.annotations.checksum/sec-redis-proxy - diff --git a/values.yaml b/values.yaml index 390efa1..adf83ea 100644 --- a/values.yaml +++ b/values.yaml 
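Review bot: The proxy container reads `.Values.app.cache.redis.sentinelProxy.pullPolicy` from directly under `sentinelProxy`, while its other image settings live under `sentinelProxy.image`, and the README values table in this commit lists no pull-policy key for the proxy at all. If values.yaml (not fully visible here) does not define it, the line would render as an empty `imagePullPolicy:` and Kubernetes derives the policy from the tag, which for the documented default tag `latest` means a pull on every container start. Document the key and give it a default, for example `imagePullPolicy: {{ .Values.app.cache.redis.sentinelProxy.pullPolicy | default "IfNotPresent" }}`, or move it under `image.` to match `app.image.pullPolicy`. Because the proxy image defaults to a mutable tag, pinning it to a fixed version or digest would make what runs beside the passbolt container reproducible.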
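Review bot: The new tests/deployment_image_pull_policy_test.yaml sets all three policies to `always`, but Kubernetes only accepts `Always`, `IfNotPresent` and `Never`, case-sensitively, so the test passes on a manifest the API server would reject. Use real values in the `set` block and in both assertions, e.g. `app.image.pullPolicy: Always`. Giving each container a different value (say `Always` for the app, `Never` for the proxy, `IfNotPresent` for the init image) and asserting each one separately would also catch a template that wires a value to the wrong container, which three identical values cannot show.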
@@ -314,9 +314,10 @@ service: # -- Annotations to add to the service annotations: {} - tls: + # -- Generates a secret with a self-signed cerfificate that is injected on ingress and passbolt container autogenerate: true + # -- Name of an existing kubernetes secret that contains a SSL certificate to inject on ingress and passbolt container #existingSecret: "" ingress: @@ -333,7 +334,7 @@ ingress: pathType: ImplementationSpecific # -- Configure passbolt ingress tls tls: - # If secretname is not empty, the tls entry will use it, otherwise will + # If secretname is not empty, the tls entry will use it, otherwise will # have a default name based on the release # @ignored - secretName: "tls"
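Review bot: The helm-docs comment added above `autogenerate` in values.yaml misspells the word as `cerfificate`, and this commit copies the same text into the README values table. Change it to `# -- Generates a secret with a self-signed certificate that is injected on ingress and passbolt container` and regenerate the README. The second new comment sits above the commented-out `#existingSecret: ""`, and the regenerated table has no `tls.existingSecret` row, presumably for that reason; if the option is meant to be discoverable, it needs a documented key or a mention in the README text.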